While working with a customer to get them onboarded in a VMware NSX (NSX-T) based Cloud Director environment, a use case for NO SNAT rules presented itself that I want to share.
In this case the customer has an NSX-T based Edge gateway (T1) connected to a dedicated (VRF based) T0 for route advertisement. Check my previous post about Inter Tenant routing in Cloud Director for some background on the matter.
To explain the background of this case: the customer has a couple of public IP addresses assigned to their Edge gateway for internet access. Additionally, they require upstream advertisement of the Cloud Director (VCD) routed networks so that their on-premises environment can route back to them.
For internet access an SNAT rule is used to let their VMs reach the internet. The same VMs also need to connect to the customer's on-premises network using their private IP, without NAT. That's where the NO SNAT rule comes into play.
Generic SNAT rule
When an SNAT rule is created for internet access, all upstream traffic that matches it is translated to the public IP address. That's fine for reaching the internet, but not for reaching an on-premises network, which would then see the Edge gateway's public IP instead of the VM's private address.
The reason is that an SNAT rule for internet access is typically configured with a destination of "Any". Such a rule matches all traffic leaving the Edge gateway, including traffic destined for the on-premises network.
NO SNAT Rule
A possible solution is to create a NO SNAT rule, in Cloud Director or directly in VMware NSX, for the specific destination IP or CIDR (the on-premises range) with a higher priority than the generic SNAT rule used for internet access. When multiple NAT rules match the same traffic, the priority determines the processing order and the first matching rule wins.
When configuring the NO SNAT rule, both the destination IP or CIDR and the rule priority must be set. In VCD the priority can be found in the "Advanced" section of the NAT rule. A lower number means a higher priority, and the default priority for a new rule is 0 (the highest).
In this case the generic SNAT rule for internet access is changed to priority 10, while the NO SNAT rule is set to 5. The exact values don't matter, only that the NO SNAT rule has the lower number: it is then hit first and traffic to the on-premises network leaves the Edge gateway untranslated. Because the VM's private source IP is preserved, the on-premises side needs a route back to the VCD routed network, which is exactly what the upstream route advertisement via the T0 provides; the Edge gateway firewall must of course still allow the traffic, since NO SNAT only affects address translation.
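To make the ordering concrete, here is a small simulation of how a NAT lookup on the Edge gateway picks between the generic SNAT rule and the more specific NO SNAT rule. This is an added example, not code from the original post or from VMware: the rule dictionaries borrow the field names of the VCD CloudAPI EdgeNatRule object (ruleType, internalAddresses, snatDestinationAddresses, externalAddresses, priority), but the matching logic is a simplified model written for this illustration, and all addresses are constructed sample values. The "broken" rule set shows what happens when the generic SNAT rule is left at the default priority 0.

```python
"""Simulation of NAT rule ordering on a Cloud Director (NSX-T) Edge gateway.

Added example, not code from the original post. The rule dictionaries use the
field names of the VCD CloudAPI 'EdgeNatRule' object (ruleType,
internalAddresses, snatDestinationAddresses, externalAddresses, priority),
but the lookup logic is a simplified model written for this illustration,
and all addresses below are constructed sample values.
"""
import ipaddress

# Constructed sample addressing (assumptions, not from the post)
TENANT_NET = "192.168.10.0/24"   # VCD routed network behind the Edge gateway (T1)
PUBLIC_IP = "203.0.113.10"       # public IP assigned to the Edge gateway
ONPREM_NET = "10.0.0.0/8"        # customer's on-premises range, reached via the T0/VRF


def nat_rule(name, rule_type, internal, external=None, destination="ANY",
             priority=0, enabled=True):
    """Build a rule shaped like VCD's EdgeNatRule. In the real API an unset
    snatDestinationAddresses means any destination; "ANY" stands in for that
    here so the simulation can match on it."""
    return {
        "name": name,
        "ruleType": rule_type,              # SNAT or NO_SNAT
        "internalAddresses": internal,      # source (private) network
        "externalAddresses": external,      # translated (public) address
        "snatDestinationAddresses": destination,
        "priority": priority,               # lower number = evaluated first
        "enabled": enabled,
    }


def _matches(addr, network):
    if network == "ANY":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(network, strict=False)


def translate(rules, src, dst):
    """Return (name of the first matching rule, source address after NAT).

    Rules are evaluated in ascending priority; the first SNAT/NO_SNAT rule whose
    internal and destination networks contain the packet wins. Rules that share
    a priority value have no defined order here, so give them distinct numbers.
    """
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if not rule["enabled"] or rule["ruleType"] not in ("SNAT", "NO_SNAT"):
            continue
        if _matches(src, rule["internalAddresses"]) and \
                _matches(dst, rule["snatDestinationAddresses"]):
            if rule["ruleType"] == "NO_SNAT":
                return rule["name"], src          # leave the source untouched
            return rule["name"], rule["externalAddresses"]
    return None, src                              # no NAT rule matched


# Generic internet SNAT moved to priority 10, NO SNAT for on-prem at 5, as in the post
GENERIC_SNAT = nat_rule("internet-snat", "SNAT", TENANT_NET,
                        external=PUBLIC_IP, priority=10)
ONPREM_NO_SNAT = nat_rule("onprem-no-snat", "NO_SNAT", TENANT_NET,
                          destination=ONPREM_NET, priority=5)


def working_ruleset():
    return [GENERIC_SNAT, ONPREM_NO_SNAT]


def broken_ruleset():
    """Failure mode: the generic SNAT was left at the default priority 0, so it
    is evaluated before the NO SNAT rule and on-prem traffic gets translated."""
    return [dict(GENERIC_SNAT, priority=0), ONPREM_NO_SNAT]


if __name__ == "__main__":
    vm = "192.168.10.25"
    for label, rules in (("working", working_ruleset()), ("broken", broken_ruleset())):
        for dst in ("10.20.30.40", "198.51.100.7"):
            rule, src_after = translate(rules, vm, dst)
            print(f"{label:8} {vm} -> {dst}: rule={rule} source after NAT={src_after}")
```

With the working rule set, traffic from the VM to 10.20.30.40 hits the NO SNAT rule and keeps its private source, while traffic to 198.51.100.7 hits the generic SNAT rule and leaves as the public IP. With the generic SNAT still at priority 0, the on-premises flow is translated as well, which is the symptom you see when the priority change on the existing rule is forgotten.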
Configuring in VCD
Configuring in NSX
In both cases, don't forget to change the priority of the existing generic SNAT rule to 10 (or any value above the NO SNAT rule's priority). If it stays at the default of 0, it is evaluated first and the NO SNAT rule is never hit.
NO SNAT rules are an excellent fit for reaching any type of remote network (on-premises or hyperscaler) without translating the VMs' source IP when the same Edge gateway is also used for internet access.